
zs5n5sI6N2.dll

Status: finished
Submission Time: 2022-05-25 11:17:13 +02:00
Malicious
E-Banking Trojan
Trojan
Evader
Ursnif

Tags

  • dll
  • Gozi
  • ITA
  • ursnif

Details

  • Analysis ID:
    633919
  • API (Web) ID:
    1001421
  • Analysis Started:
    2022-05-25 11:25:19 +02:00
  • Analysis Finished:
    2022-05-25 11:42:20 +02:00
  • MD5:
    9ce6868cb546819a7ba2fc27f91a3777
  • SHA1:
    6052120b0375f44ede4985ad98f7bd89beb70c2b
  • SHA256:
    fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959
  • Technologies:

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
17/41

malicious

IPs

  • 176.10.119.68
    Country: Switzerland

URLs

  • http://176.10.119.68/
  • http://176.10.119.68/drew/ELiX5C1LBrOXGVb_2F7VT_2/F3y7AZYCgC/OAzMBADjwIAAgevJ7/Ln8DdTMzAOtI/oaRRlHeZ
  • http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB9pAoQo46tq53qB/yLUp2d5T9/j5s74YMStQa0vycAYVnz/i1_2BT1sbtGbsqmiKYJ/utxS2UAD48D_2FhKmTNhPj/C7HmcyJhh_2BI/RoK5qxzW/AONvbwwgZ6joXACVCUjXkBm/TrT5RUjDbT/JqnBRntI67DVKvl4U/zabjaRP4H3Fa/y7F2cIC4htT/NfLmrAWL7x6jSO/onSOjeHvFKi2HNfNhR_2F/KXsh6.jlk
  • http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco/TjSDtFakSde/soGhjhBV5Tb5mX/q7nM_2FDyGsXlD3E3A4fe/_2ByGCIGrgekC2k4/_2BIghzEoEtICMG/eMdl_2FVYz1Gzr3rXb/6bQxvF882/0gJazcAIQC6vmyI4DEnR/k0LRXXmFX8YlpSLVUNq/6DaeywiN2GwHaJFGl8Ik7G/m9UBKgfO4ybSV/fnhYeS0x/hab1JQvgZCtDWyU/A.jlk
  • http://176.10.119.68/drew/bht18BKt3t1ka1/EyRQXKSxK1fGGVQT69xe7/l12WvU97arR8lucE/BPan_2BqxdC9XZm/a6pB
  • http://176.10.119.68/drew/RGq_2BVJ/3BCdlnfIA49R8s_2BXe1s3i/VFrZ4awbB4/zmZ34_2Bwuhkj_2Fp/SYr8rby3ftco
  • http://https://file://USER.ID%lu.exe/upd
  • http://constitution.org/usdeclar.txt
  • http://constitution.org/usdeclar.txtC:

Dropped files

Name and file type

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2ce29cfeeebc853567a148791f146b4541ff5338_7cac0383_0c0874ee\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_34661168243cfabc5e1ee2a141f8dfa8ff2298_7cac0383_1454ac5a\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5a7bdef4ffd6df7a7664cf7158b49db77a1e6c9_7cac0383_07688b93\Report.wer
    Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E47.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:26:37 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7136.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER72FC.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER7FAC.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:26:42 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER82CA.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER8461.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CE9.tmp.dmp
    Mini DuMP crash report, 15 streams, Wed May 25 09:26:51 2022, 0x1205a4 type
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERA650.tmp.WERInternalMetadata.xml
    XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7A9.tmp.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    data
  • C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\0rxpcrxp\0rxpcrxp.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\AppData\Local\Temp\0rxpcrxp\CSC81748258BEC6426288BE9680C960B04E.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\RESBB61.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\RESDBAB.tmp
    Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnpdahnp.it4.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5tkumna.vlc.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\rn2v1u0v\CSCE8729092494447E68BAFD2B3DE7C4FE.TMP
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.0.cs
    UTF-8 Unicode (with BOM) text
  • C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\rn2v1u0v\rn2v1u0v.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
  • C:\Users\user\Documents\20220525\PowerShell_transcript.468325.mIKzyOcS.20220525112740.txt
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators